Network Operations
Hide a TCP or UDP port from being listed by tools like netstat. The hook is implemented as an IRP hook (not PatchGuard safe); the explanation below covers the logic of the hook itself.
```c
NTSTATUS NsiIrpComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
```

DeviceObject [PDEVICE_OBJECT] -- Driver device object.
Irp [PIRP] -- Pointer to the IRP.
Context [PVOID] -- IRP context.
```
# Hide port
NidhoggClient.exe port hide <port number> <tcp/udp> <local/remote>

# Unhide port
NidhoggClient.exe port unhide <port number> <tcp/udp> <local/remote>
```
The function begins by checking whether the IRP operation completed successfully. If it did, it proceeds to process the user buffer of the IRP, which contains the Nsi parameters.

The function then checks that the Nsi parameters are valid and that they contain any entries. If they do, it processes each entry according to its type (TCP or UDP) and hides any port that appears in the hidden port list.

The function uses a lambda function, HidePort, to hide the ports. This lambda moves the memory of the entries, status entries, and process entries so that the hidden port is effectively removed from the list.

After processing all the entries, the function updates the count in the Nsi parameters to reflect the number of entries remaining after the hidden ports have been removed.

Finally, if an original completion routine was provided in the context, the function calls that routine with the original context and frees the context memory. If no original completion routine was provided, the function simply frees the context memory and returns STATUS_SUCCESS.
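Because the completion routine above removes entries from the buffer that netstat receives through NSI, the enumeration view can no longer be trusted on its own. One defensive check is a cross-view comparison: take the ports the enumeration path reports, then ask the TCP stack directly whether each candidate port accepts a connection, and flag any port that answers but is absent from the table. The following is an added example, not Nidhogg's own code; the netstat sample is constructed, and the helper names are assumptions.

```python
import re
import socket
from contextlib import closing

# Constructed sample of `netstat -ano` output (not real output); it represents the
# enumeration view that a hooked NSI completion routine may already have trimmed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING       6120
  UDP    0.0.0.0:5353           *:*                                    1804
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+")

def parse_reported_ports(netstat_text, proto="TCP"):
    """Local ports the enumeration path (NSI, as used by netstat) reports for proto."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == proto:
            ports.add(int(m.group(2)))
    return ports

def probe_tcp_listener(port, host="127.0.0.1", timeout=0.2):
    """Second vantage point: does the stack actually accept a TCP connection here?"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def find_hidden_tcp_ports(reported_ports, candidate_ports, probe=probe_tcp_listener):
    """Cross-view check: a port that accepts connections but is missing from the
    enumerated table means entries were removed between the stack and the caller."""
    reported = set(reported_ports)
    return sorted(p for p in candidate_ports if p not in reported and probe(p))

def open_local_listener():
    """Helper for demonstration: bind an ephemeral loopback listener, return (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = open_local_listener()          # a listener the sample table never mentions
    reported = parse_reported_ports(SAMPLE_NETSTAT)
    print("hidden TCP ports:", find_hidden_tcp_ports(reported, range(1, 65536)))
    srv.close()
```

On a real host the reported set would come from the live netstat or GetExtendedTcpTable output rather than the constructed sample, and the candidate range would cover the full port space as in the `__main__` block.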